Loading ...
Fred C Th...
Technology & Engineering
Technical-Engineering Publi...
21
0
Try Now
Log In
Pricing
0018-9162/03/$17.00 © 2003 IEEE 2 Computer Penny Tag Technologies for Removable Data Storage M anufacturers commonly use tags or markers to authenticate and identify commercial products. Some typical applications for authenticating a prod- uct’s source include visual holograms on software packaging, fluorescent spectrally encoded fibers in a garment’s brand label, and hid- den microscopic brand marking of aerospace parts. Applications that identify products, either indi- vidually or within a class, are most ubiquitous in retail and warehouse logistics. Retailers, manufac- turers, and distributors spend more than $10 bil- lion per year to purchase bar codes and their associated systems for use in tracking countless bil- lions of dollars in merchandise. These low-cost structured ink markings allow for quick and reli- able product identification within a virtually unlim- ited inventory system. Radio frequency (RF) coil tags are another product identification technology used to reduce retail theft. In this case, sensors can detect the tags if they were not deactivated when the merchandise was purchased. Authentication and identification technologies have also found applications in removable data storage. For example, cartridge identification sys- tems can protect a drive from damage that inserting a foreign object might cause. They can also help manage forward and backward media format com- patibility; let drives identify media types for reduced spin-up and data-access time; and create unique, unalterable, and authenticatable media serial num- ber implementations for digital rights management (DRM) and enterprise security. One beneficial implementation of the technology is its use to authenticate parts and prevent counterfeiting in var- ious industries. The primary difference between retail and removable data storage applications is cost con- straints. The applications for retail settings require human intervention or instrumentation costing hundreds, if not thousands, of dollars. However, the authentication and identification of removable data storage cartridges must be automated at a very low cost. The Massachusetts Institute of Technology Media Lab has dubbed these low-cost authentica- tion and identification technologies penny tags. MIT’s ongoing program to explore and develop penny tag applications and technology has evolved into the Auto-ID Center (www.autoidcenter.org), which focuses on establishing a low-cost RF ID tag standard. FIELD-PROVEN TAG TECHNOLOGIES The varying requirements of specific systems have driven the progression of Iomega’s penny-tag tech- nologies, described in the “Evolution of Iomega Removable Storage Products” sidebar. These tech- nologies have different features, depending on the requirements of a particular storage system. Media unique serialization High-capacity magnetic removable data storage typically involves a factory servo write process and a factory media verification process. These manu- facturing processes can write a unique serial num- Low-cost authentication and identification methods for removable data storage cartridges are the focus of ongoing research. Unlike other security methods, these “penny tag” technologies must be automated for use in a removable data storage drive. Fred Thomas Iomega C O V E R F E A T U R E Published by the IEEE Computer Society ber to the media in an area that is not rewriteable by drives in the field, such as in areas for grey codes and flagged sectors. Iomega has applied these unique serial numbers to all its removable magnetic media products dat- ing back to the Bernoulli boxes of the 1980s. Retroreflective tags A retroreflective tag (retrotag) produces a struc- tured or patterned reflection of light from the removable data storage cartridge that disk drives can uniquely discriminate from other types of reflections. The “Patents for Removable Data Storage Tag Technologies” sidebar provides addi- tional information about patents on this and other related technologies. The Iomega retrotag used on Zip and Jaz cartridges has an array of corner cubes molded into a clear, optical plastic tag. This tag is similar to a roadside retroreflective safety marker. July 2003 3 The evolution of building cartridge identification and authen- tication into a removable data storage drive at Iomega illus- trates the varied requirements of this technology. Initially, when Iomega’s researchers created the Zip 100 (super floppy), they felt that the drive needed a means other than the cartridge’s physical size to discriminate between a func- tional Zip disk and a foreign object. This was mainly because the 3.5-inch floppy fit into the Zip drive media opening. A floppy could, upon insertion, cause the drive to launch its read- write heads onto the foreign object and destroy the drive. Hence, the retroreflective tag (retrotag) was introduced and is used on the Zip 100, Jaz 1 Gbyte, and Jaz 2 Gbyte products. The evolution of the Zip 250 and Pocket Zip (Clikl! 40 Mbyte) produced two new sets of requirements. The Zip 250 drive reduced data track size and differing data and servo fre- quencies from the original Zip 100. Economics and the desire to have Zip 100 media compatible with the new 250 drove the decision to make it the same size and shape as the Zip 100 car- tridge. However, inserting a Zip 250 cartridge into a Zip 100 drive would potentially destroy the drive. A technology that would cause the Zip 250 cartridge to be ejected automatically upon insertion into a Zip 100 drive was ultimately necessary. This new tag system also needed to allow for Zip 100 inser- tion into a Zip 250 drive and appropriate detection and access to the previous generation cartridge. Iomega needed to retain its foreign-object protection func- tionality and, if possible, the ability to identify multiple types of the new tag. This capability would be advantageous for future cartridge backward and forward compatibility man- agement scenarios. The Pocket Zip 40-Mbyte drive’s small size and the reduced working distances between the cartridge and any identification system in the drive made the Zip 100 retrotag discrimination physics unworkable. This product also needed to support the licensed distribution of music content directly from recording houses to consumers’ handheld play devices. This made authen- tication of the media’s source part of the new technology requirements. These requirements in aggregate drove the development of two parallel path tag technologies: the latent-irradiance-tag and the holographic-tag (X-LSD). The ability of both tech- nologies to support identification of multiple authenticatable tag types opens the path for implementing various specialty media types such as cleaning disks, computer access authenti- cation disks, drive-calibration disks, and restricted drive firmware upgrade paths. The need for a technology that would offer an unalterable media serial number source for robust DRM implementations also fueled the development of the laser-marking technology or disk indelible utility mark (DIUM) for the Pocket Zip. Most recently, work on robust DRM and enterprise security imple- mentations has focused on means for including source-protected cryptographic keys within the removable data storage cartridge. To this end, the Peerless cartridge includes a smart card-directed secure memory with cryptographic authentication IC in its design. This seems to be a good direction for removable media, which has a native electrical interface with the drive platform. Evolution of Iomega Removable Storage Products Patents for Removable Data Storage Tag Technologies The patents issued for retroreflective tags (retrotags) and other iden- tification and authentication technologies for removable data storage include the following: • F. Thomas, Retroreflective Marker for Data Storage Cartridge, US patent 5,638,228, Patent and Trademark Office, Washington, D.C., 1997. • F. Thomas, Thin Retroreflective Marker for Data Storage Cartridge, US patent 5,986,838, Patent and Trademark Office, Washington, D.C., 1999. • F. Thomas and G. Dixon, Latent Illuminance Discrimination Marker System for Authenticating Articles, US patent 6,264,107 B1, Patent and Trademark Office, Washington, D.C., 2001. • F. Thomas, Readable Indelible Mark on Storage Media, US patent 6,324,026 B1, Patent and Trademark Office, Washington, D.C., 2001. 4 Computer Figure 1 illustrates retroreflection in contrast with the two other principal types of reflection from objects that might be inserted into a drive: specu- lar and diffuse. Retroreflection is principally light reflected back at the source of the illuminating radi- ation. This property clearly defines the reflection’s location, and its magnitude at that location is large relative to what equivalently sized diffuse or spec- ular reflectors would provide. Another retrotag characteristic is that the illu- mination and detection system’s location relative to the tag is flexible. In Iomega drive implementa- tions, a proximate LED and phototransistor/pho- todiode pair are positioned on the drive printed cir- cuit board (PCB) below the retrotag location on the cartridge when the cartridge is fully in the drive. As long as a significant portion of the LED irra- diance is hitting the tag and the emitter/detector pair is within approximately a 40-degree cone of the tag’s centroid, the system works well as a reflec- tion-type discriminator. This latitude in locating the detection system provides flexibility in designing future compatible drive platforms. It also allows a generous tolerance of the retrotag’s alignment to the detection system during manufacture. The images in Figure 2 illustrate a bug’s eye view of the reflection from a Zip retrotag from the loca- tion where the LED is illuminating the tag in the drive. A laser beam profiling software program and a frame-grabber system based on a charge-coupled device were used to generate these images. The superposition of the array of 12 corner cubes found on the tag creates the reflection’s hexagonal structure. The hexagonal reflection’s size at the short working distances used in drive implementations is principally twice the diagonal size of the corner cubes. To take advantage of this bright structured reflec- tion, the detection device (phototransistor or pho- todiode) must be proximal to the LED, which is located at the hexagonal reflection’s center. Therefore, the corner cubes’ size must be physically matched to the separation distance on the PCB between the emitter and detector the system uses. In Figure 2, this distance is approximately 2.5 mm. Figure 2 shows that the reflections from a retro- tag are essentially localized to a small hexagonal area. Based on this reflective localization, we can create an even more effective discrimination sys- tem by adding a second photodetector positioned slightly outside this reflective lobe and using the dif- ference between the signal inside the lobe and out- side the lobe as the retrotag discrimination signal. In fact, for the most difficult possible reflective sources that this system is intended to discrimi- nate—specular reflectors such as metal foil or a pol- ished shutter on a 3.5-inch floppy disk—this system enhancement improves performance significantly. Figure 3a shows a contour plot for probability of discrimination of a specular reflector from a retro- tag for the original single-detector system, and Figure 3b shows a contour plot for the differential dual-detector system. A Monte Carlo analysis sys- tem model generated these plots, which include empirical data on the reflective variability of the two different types of reflective markers among 20 other system variables with their distributions modeled. The white sloping bands in Figures 3a and 3b Specular (mirrorlike) Diffuse Retroreflection (b) (c) (a) Figure 1. Principal types of reflection contrasted: (a) specular (mirrorlike), (b) diffuse, and (c) retroflection. Figure 2. Reflective irradiance pattern of Zip 100 retrotag. The reflected irradiance in the structure is brightest in the hexagon’s lobes where the photo- sensitive detector is placed. denote the region of 100-percent specular reflec- tive foreign-object discrimination as a function of the system’s photodetector gain (y) and the retrotag detection threshold voltage (x). These figures demonstrate that adding a $0.20 phototransistor to the design can broaden the 100-percent dis- crimination band by more than 60-fold. Holographic tags The large geometric size (2.5 mm) of the corner cubes used for reflection with the retrotag creates a structured irradiance pattern around the illumi- nating source LED. Holographic-tag technology does principally the same thing but with signifi- cantly more flexibility in the geometry of the struc- tured, reflected light pattern. This follow-on invention uses the combination of a tiny retrore- flective array material (150 microns across corner cubes) with a refractive holographic light shaping diffuser (LSD) material. Laminating these plastic film materials together creates a reflector, which in turn creates an assortment of structured light pat- terns upon reflection. Figure 4 shows the reflected irradiance pattern that an X Light Shaping Diffuser (X-LSD), a holographic tag used on data storage cartridges, generates. The point at which the axes cross is the illuminating LED’s location. To use the X-LSD for tag identifica- tion, three phototransistors are placed on the drive PCB on three axes separated by 45 degrees around the LED. The tag-cartridge identification is based on reflective illumination of the phototransistors. In this case, in which the tag has three photodetectors, the system can detect eight separate states. Latent-irradiance tags Latent-irradiant materials—more commonly described as fluorescent and phosphorescent—glow after being irradiated with light. The characteristic that distinguishes between fluorescent and phos- phorescent materials is that the time period of light re-emission is longer than 10–8 seconds for phos- phorescent materials and shorter for fluorescent materials. The output spectra of different latent-irradiance materials have a distinguishing amplitude profile when illuminated with light having color within their absorption bands. Stokes materials irradiate at wave- lengths longer than the stimulating irradiance, and anti-Stokes materials irradiate at shorter wavelengths. Researchers have historically used the differen- tiation in spectral profiles of various latent-irradi- ance materials for authentication. For example, the fluorescent fibers in a $100 bill glow red when they are irradiated with a UV source. A respected British scientist working in this area once told me that MI5 secret agents (made famous by the fictional agent 007, James Bond) wore phosphorescent authenti- cation rings during World War II. In these cases, July 2003 5 Figure 4. Reflected irradiance pattern for X-LSD holographic cartridge tag. The point at which the axes cross is the illuminating LED’s location. Figure 3. (a) Single-detector cartridge discrimination performance (retrotag ver- sus specular reflector). (b) Dual-detector cartridge discrimination performance (retrotag versus specular reflector). 0 1 2 3 4 5 Detection threshold voltage (volts) (b) 0 1 2 3 4 5 Detection threshold voltage (volts) (a) 1 2 3 4 On-axis gain (volts/amp × 105)1 2 3 4 On-axis gain (volts/amp × 105)10 20 30 40 50 60 70 80 90 100 100 100 100 10-90 6 Computer authentication requires using either simple visual ID of a color or an elaborate and expensive photo- spectral analysis instrument. In Iomega’s patented technology for reducing the cost of a drive-automatable ID and authentication system, a single photodetector acquires a combi- nation of spectral and temporal information from a latent-irradiance tag. After illuminating the tag with an LED within the tag’s absorption band, a photodectector with a low-cost, dye-based poly- mer filter can monitor both the decay time and the temporal profile of the latent irradiance that the tag emits. Blending combinations or matrices of different phosphor components can create multiple decay profiles, much like combining discrete frequencies in a Fourier series can describe any arbitrary piece- wise temporal function. Figure 5 illustrates the typ- ical exponential temporal decay profile of a single constituent phosphor component used to create such a matrixed latent-irradiance material. This temporal information is extracted from the data storage drive’s microprocessor to identify and authenticate different tags types. Security phosphors are a class of latent irradi- ance materials typically used for authentication on currency and other financial instruments. Developers can engineer these latent-irradiance materials so that they present a significant reverse- engineering hurdle to those trying to replicate their spectral and temporal response. Generally, a phosphor matrix’s response is fab- rication-process dependent, so that constituent analysis only partially discloses information. In addition, numerous masking and obfuscating meth- ods can further thwart reverse-engineering efforts, making this a robust means of authentication. A potential future application that leverages this secu- rity feature is to use a drive’s read-write laser as the excitation source for DRM protection of content on optical data storage media. Laser-marked media The disk indelible utility mark (DIUM) is a laser- marking system that ablates a microscopic bar code into the media’s magnetic recording layer. In one sense, this is a high-tech cattle brand for media. Figure 6 shows a magnified image of a DIUM on a piece of flexible magnetic data storage media. Four copies of the same code, which is several data tracks wide, are ablated for redundancy at the disk’s inner diameter. This technology creates an unalterable media ser- ial number that a drive’s magnetic head can read, but the drive cannot replicate it with a magnetic write operation. Because the mark, or code, is ablated into the media, overwriting it with a mag- netic tone does not erase it. In practice, the drive firmware implementation of a DIUM-read consti- tutes an AC overwrite of the mark to ensure that the encode data is ablated and genuine. The amortized costs of this technology for a removable data storage cartridge can be as low as one cent per disk. Analogous implementations for optical phase change media are also possible. Solid-state secure memory devices The Iomega Peerless cartridge has a built-in secure memory device that contains 192 bytes of memory.1 Selectable portions of this memory are fusible at the factory, providing absolute in-the-field inalterability of those locations. Access to this memory requires the drive’s firmware to engage in a cryptographic challenge-and-response protocol that unlocks the device’s secret key. The secure memory device was developed for financial transaction security in smart card appli- cations such as cash-resident debit cards. Peerless drives leverage the SMD’s unalterable feature to provide a trusted source for the DRM media serial number. All Peerless drives support commands for query and return of this unique cartridge-resident media serial number. Figure 6. A disk indelible utility mark on Pocket Zip flexible media. DIUM creates an unalterable media serial number that a drive’s magnetic head can read but not replicate. Time (µsec) Intensity (volts)4.0V 3.6V (90%) 0.4V (10%) t0 t1 t2 t = t1 – t2 t0 flood LED turned off Figure 5. Typical temporal signal profile of a latent-irradiance material. The detection circuitry for this signal can implement automatic gain control (AGC) techniques. These implementations provide a significant level of system measurement robustness with varying signal amplitude. Any removable data storage drive that incorpo- rates an SMD also can leverage this digital and physical information safe by storing an assortment of security information in it. These codes enable many interesting data security applications includ- ing robust DRM support. This SMD-embedded information would include a series of crypto- graphic keys and sequences as well as the cartridge’s unique media serial number. SMD-embedded codes offer an asymmetric,2 or public-private encryption, technology that imple- ments a secure-pipe delivery of the media serial number to host PC DRM applications. In a secure pipe, the media serial number is provided to the DRM software application on the drive-attached host PC in an encrypted string so that it is resilient to attacks from software shims and emulators. Content providers in the music, video, and pub- lishing industries can use this technology to robustly tie their content to an individual remov- able data storage cartridge. A cartridge-supported application of this tech- nology stores a subset of public-key hashes on the SMD to facilitate cryptographic drive authentica- tion of software and hardware querying devices. To support enterprise-centric data-security solutions, a second portion of the secure memory device can store encryption keys. This implementation specif- ically addresses concerns about employees who are intent on removing proprietary digital content. It maintains the flexibility and transportability of data within the enterprise that removable data storage cartridge technology inherently provides. Although SMD offers significant flexibility and utility, the system architecture requires direct elec- trical connectivity to the removable data storage cartridge with the drive. RELATIVE IMPLEMENTATION COSTS Depending on the cost, technical, and market requirements of a particular removable data stor- age system, one system might prove more com- pelling than another. For these systems, it is not enough to have a low-cost tag technology; the drive-based automated detection system must be low cost as well. Table 1 summarizes the approximate costs for implementing these penny tag systems on a remov- able data storage cartridge as well as in the mating drive. The detection cost listed for latent-irradiance tags assumes that a drive microprocessor is avail- able with access to a multiplexed analog-to-digital converter. The fourth column in the table is anno- tated with six abbreviations that summarize the principal obstacles of tag forgery and, hence, com- promise of the tag system’s authentication attrib- utes. The last column places an order of magnitude estimate on the number of identifiable different states that the tag technology and detection system can support. The infinity symbol means at least tens if not hundreds of bits. I omega has developed a cadre of low-cost penny tag technologies with associated low-cost auto- mated detection systems for removable data storage cartridge identification and authentication. In particular, the latent-irradiance technique remains under most active development at Iomega. Patents issued to Iomega on the temporal signal discrimination techniques for latent-irradiance sig- nals make licensing this technology to third parties for other applications a possible future direction for this work. Potential applications include authenti- cation or identification of items such as optical data storage media, aerospace or nuclear facility fasten- ers, factory authorized auto parts, critical con- struction components, and financial and business instruments such as checks and credits cards. Field-operable detection devices for applications without leverageable in situ electronics, such as a disk drive, can be manufactured in low volumes at July 2003 7 Table 1. Relative cartridge penny tag costs. Technology Tag cost ($) Detection cost ($) Authentication means ID states Written media serial no. 0.00 0.00 Low ∞ Retrotag 0.03 0.75 IP 1 bit Holographic tag (X-LSD) 0.10 1.00 IP, CI, RE 3+ bits Latent-irradiance tag 0.07 1.00 IP, CI, SRE 4+ bits Laser mark (DIUM) 0.01 0.00 IP, CI ∞ Smart-card IC (SMD) 0.40 0.20 to 2.00 Encrypt ∞ Abbreviations: IP: intellectual property; CI: capital investment; RE: reverse engineering; SRE: significant reverse engineering; Encrypt: encryption and other protected secret methods. 8 Computer costs comparable to a volt-ohm meter ($20-$100). With high volume production, such devices could reasonably cost less than $10. The actual cost would depend on the desired level of sophistication. The higher cost of detection presently precludes using powerless RF tags in removable data storage cartridges, except in automated cartridge reposi- tory management for enterprise and government applications where information security and accountability are at a premium. Using security technologies always invokes the issue of raising the bar relative to attack and com- promise. Implementing a variety of such means in tandem further raises that bar. A good example is the implementation of more than 30 authentication features for higher denominations of US currency. Many believe that tag technologies provide inno- vative physical identification and authentication methods that have a high associated overall secu- rity-to-cost quotient. The current use of these tech- nologies in more than 350 million data storage cartridges confirms their field worthiness. ■ Acknowledgments I thank my Iomega colleagues who read the draft of this article and made several useful comments and contributions, especially Dave Griffith, Dave Hall, Todd Shelton, and Tom Wilke. Iomega presently has patents issued or pending on all the removable data storage cartridge penny tag approaches described in this article. References 1. F. Thomas, “Peerless DRM & Enterprise Security- Enabled Removable Data Storage Cartridges (A Dis- cussion of Security Issues and Architectures for Removable Data Storage),” Proc. RSA E-Security Conf. 2002, RSA Security, 2002, www.rsaconference. net/RSApresentations/pdfs/newthu1015_thomas.pdf. 2. B. Schneier, Applied Cryptography, 2nd ed., John Wiley & Sons, 1996, pp. 21-46. Fred Thomas is chief technologist in the Advanced R&D Group at Iomega Corporation. He received an MS in mechanical engineering from Bucknell University. He holds 30 US patents. Thomas’s research interests include developing technologies that make magnetic recording in removable car- tridge implementations more robust, novel optical data storage techniques, low-cost sensors, and dig- ital information security technologies and their implementation. He is a member of SPIE and ASME. Contact him at thomasf@iomega.com.